个人中心
gpt4 book ai didi

java - Spring WebFlow + Spring 安全 : use expression instead of role

转载 作者:行者123 更新时间:2023-11-30 11:04:57 26 4
gpt4 key购买 nike

我创建了一个 CustomWebSecurityExpressionHandler 来通过搜索函数 ID 检查数据库表上的用户。我想通过一些数据库更新和上下文的重新启动来更改我在每个函数上的角色,而无需重新编译和编辑大量的 XML。

我想在 webflow 中使用 SpringSecurityExpression!就像我可以在 Spring 的任何其他部分做的那样......

<?xml version="1.0" encoding="UTF-8"?>
<flow xmlns="http://www.springframework.org/schema/webflow"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/webflow
                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <secured attributes="isFUUU('key')" />

    <view-state id="main" view="dashboard/main.html" >
    </view-state>

</flow>

如何让 isFUU("key") 正常工作?需要自定义 CustomAccessDecisionManager 吗?

最佳答案

我找到了解决方法

我必须调试 20 个类的 spring security 和 webflow 才能发现,在 SecurityFlowExecutionListener 中,即使您将 spring security 设置为使用表达式,监听器也将仅基于角色。我发现为了解析表达式 a 需要一个特定类型的配置属性,准确地说是 WebExpressionConfigAttribute。但这不是公开课!!! https://jira.spring.io/browse/SEC-1727 .因此,正如这个 OLD Jira 中所建议的,我需要在同一个包中创建我的 CustomSecurityFlowExecutionListener (org.springframework.security.web.access.expression)

这里是例子

CustomSecurityFlowExecutionListener:

package org.springframework.security.web.access.expression; //First part of the trick!

import foo.bar.example.services.security.CustomAccessDecisionManager; 

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.webflow.security.SecurityFlowExecutionListener;
import org.springframework.webflow.security.SecurityRule;

/**
 * Force Spring WebFlow Security listener to use expression!
 * 
 * @author roberto.gabrieli
 */
public class CustomSecurityFlowExecutionListener<T > extends SecurityFlowExecutionListener
{

    /**
     * Convert SecurityRule into a form understood by Spring Security Force the usage of WebExpressionConfigAttribute!
     * 
     * @param rule
     *            the rule to convert
     * @return list of ConfigAttributes for Spring Security
     */
    @Override
    @SuppressWarnings("deprecation")
    protected Collection<ConfigAttribute> getConfigAttributes(SecurityRule rule)
    {
        // Get Access Decision Manager to find if has my expression handler
        AccessDecisionManager adm = getAccessDecisionManager();

        ExpressionParser ep = null;
        //  Check if is my CustomAccessDecisionManager so I can use my expressions
        if ( adm instanceof CustomAccessDecisionManager )
        {
            ep = ((CustomAccessDecisionManager) adm).getWebSecurityExpressionHandler().getExpressionParser();
        }

        List<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>();
        for ( String attribute : rule.getAttributes() )
        {
            if ( ep != null )
                // this will end the trick with fireworks!
                configAttributes.add(new WebExpressionConfigAttribute(ep.parseExpression(attribute)));
            else
                configAttributes.add(new SecurityConfig(attribute));
        }
        return configAttributes;
    }
}

WebFlow-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:util="http://www.springframework.org/schema/util" xmlns:webflow="http://www.springframework.org/schema/webflow-config"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.1.xsd
        http://www.springframework.org/schema/webflow-config http://www.springframework.org/schema/webflow-config/spring-webflow-config-2.4.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
... 

    <bean id="securityFlowExecutionListener"
        class="org.springframework.security.web.access.expression.MamSecurityFlowExecutionListener">
        <property name="accessDecisionManager" ref="customAccessDecisionManager"/>
    </bean>

...
</beans>

关于java - Spring WebFlow + Spring 安全 : use expression instead of role,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29828569/

26 4 0
文章推荐: java - JMS ConnectionFactory 上的 WebLogic NameNotFoundException
文章推荐: javascript - 字符串模板中的不同 bool 处理?
文章推荐: ios - 动画 View 中的 UIButton 未检测到触摸
文章推荐: java - 使用 spring 注释查看 NoSuchMethodExceptions
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com